'''''Migration of a Samba NT4 domain:''' If you plan to migrate an existing Samba NT4 domain to Samba AD, you do not manually provision the domain. The migration is done by the classicupgrade process. Skip this section and follow [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Migrating a Samba NT4 domain to a Samba AD domain (classic upgrade)]]. Come back afterwards and continue with [[#Testing_your_Samba_Domain_Controller|Testing your Samba Domain Controller]].''

Introduction

Since version 4.0, Samba can act as a Domain Controller that is compatible with Microsoft Active Directory, in addition to its older NT4-style PDC role. The following explains how to set up Samba as an Active Directory Domain Controller from scratch. This documentation is also the starting point for upgrading an existing Samba NT4-style domain to Samba AD.

Although a Domain Controller is technically capable of running as a full file server, the Samba team does not recommend using a Samba AD DC as a file server and recommends running file shares on a separate Domain Member instead. Keeping the DCs distinct from the file servers lets you upgrade each without disrupting the other, keeps file serving away from the idiosyncrasies of the winbindd configuration on an AD DC, and fits the recommendation that medium-sized sites run more than one DC.

If you are looking for documentation about updating the Samba version of an existing Samba Active Directory Domain Controller, please consult your distribution upgrade procedure or see: Updating Samba.

Samba as an AD DC requires at least version 4.0.0, but it's always recommended to use the latest stable version of Samba. It will contain fixes for bugs from previous releases and may contain improved Microsoft Active Directory compatibility and additional features. See the Samba release plan for more details about the latest maintained versions and their release notes.

Please note that you do not need to install or configure a separate Kerberos KDC for Samba to work. Samba includes an AD-compatible KDC, currently based on an included copy of the Heimdal project, and likewise ships its own LDAP implementation for the AD backend. OpenLDAP or other LDAP servers are not supported at the moment.

Preconditions

Make sure that your future DC uses a static IP address. DHCP can cause trouble if the address changes.

If resolvconf is installed on your future DC, remove it, or it may rewrite /etc/resolv.conf to point at the wrong name server.

Read the Active Directory Naming FAQ carefully for information and frequent pitfalls about choosing a DNS and NetBIOS name for your AD. Samba AD currently does not support renaming a domain, so this is an important decision!

Check your /etc/hosts for a correct resolution of the hostname to its IP:

Installation

Make sure that you use a recent Samba, and note that not all distributions ship Samba packages with Active Directory Domain Controller capabilities. One reason is that some distributions build against MIT Kerberos, while Samba (currently) only supports Heimdal Kerberos; Red Hat-based operating systems (RHEL, CentOS, Fedora, etc.) are affected. In this case, choose one of the other install options.

When Samba sets up the first Domain Controller in a Domain, the provisioning creates an initial Active Directory database. This must be done with root privileges, to enable writing to the installation directory and setting the correct permissions on files and folders.

First make yourself familiar with the possible parameters and options of the provisioning:

# samba-tool domain provision --help

If your Domain Controller has multiple network interfaces, the following two samba-tool options are required to stop the tool from auto-choosing one of the interfaces' IPv4/IPv6 addresses. In addition, Samba must be bound to the desired interface.

--use-rfc2307: Enables the NIS extensions, which allow central management of Unix attributes (UIDs, GIDs, shells, etc.) inside Active Directory. It is recommended to always enable this feature during provisioning: it costs nothing if you never use the attributes, but you may later find yourself in a situation where central management of Unix account/group information becomes a requirement, and enabling it afterwards requires additional work such as manually extending the AD schema. For further information about RFC2307, see General information on RFC2307 and Setting up RFC2307 in AD.

--interactive: Use interactive provisioning. The defaults are the values in square brackets; they are used if you press Enter without any other input.

--realm or Realm: Kerberos realm and AD DNS domain name, written in upper case. Always use a subdomain of your domain name (e.g. samdom.example.com), never the domain name itself (example.com), as your Active Directory DNS domain. The AD DNS domain name resolves to the IP address(es) of your Domain Controller(s), so using example.com would stop you reaching other servers, such as a web server, under that name. See the Active Directory Naming FAQ for further information and help.

--domain or Domain: NT4-style NetBIOS domain name in upper case, which AD keeps for compatibility reasons. Maximum length: 15 characters. Usually, and this is what we recommend, it is the first label of the AD DNS name. If you use something different, make sure it matches the Active Directory naming conventions (section "NetBIOS domain names"). Note that even though some punctuation marks, such as periods, are allowed, they can cause trouble in some situations and should be avoided. See the Active Directory Naming FAQ for further information and help.

Server Role: 'dc' for Domain Controller.

--dns-backend or DNS backend: Supported DNS backends are the Samba internal DNS back end (SAMBA_INTERNAL, the default) and BIND9_DLZ. The internal DNS is the best choice if you do not have complex DNS requirements; see Which DNS backend should I choose? for a comparison and suggestions. If you choose BIND9_DLZ, you must set up and configure BIND before starting your Domain Controller for the first time; see Configure BIND as backend for Samba AD for further setup information. If you later find that your choice does not fit your needs, you can change the backend afterwards. Do not use BIND9_FLATFILE as the DNS backend: it is undocumented and unsupported. Because AD relies heavily on DNS, the first DC in an AD must act as a DNS server, so you cannot choose NONE here.

DNS forwarder IP address: You are only prompted for this if you chose the Samba internal DNS as the backend. It is the IP address of one DNS server to which queries are forwarded when your DNS server is not authoritative for the zone, commonly your provider's DNS server.

Configure DNS

A working DNS is essential for the correct operation of an Active Directory. Without the right DNS entries, for example, Kerberos will not work, and with it many of the basic features. It is worth spending extra time ensuring your DNS setup is correct, because debugging problems caused by incorrect DNS configuration can take a lot of time later.

Configure /etc/resolv.conf

Your Domain Controller requires a name server that can resolve queries for the Active Directory zones. Because this is the first Domain Controller in your AD forest, point /etc/resolv.conf at the DC's own IP address and use the AD DNS domain as the search domain:

domain samdom.example.com
nameserver 10.99.0.1

Testing DNS

To test that DNS is working properly, run the following commands and compare the output to what is shown:

If you receive any errors, check your system logs to locate the problem.

Configure Kerberos

Configure /etc/krb5.conf

Kerberos is an important part of Active Directory. Typically it is configured in /etc/krb5.conf. During provisioning, a working sample configuration is created in Samba's private directory. You can replace your krb5.conf with the sample by copying it or creating a symlink (the path below is for a Samba built from source with the default prefix):

# ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

If you cannot find your copy of krb5.conf, or just want to create it yourself, /etc/krb5.conf needs to look like this:

Configure NTP

Active Directory requires close time synchronisation between all participating machines for Kerberos to work: Kerberos rejects tickets and requests whose timestamps differ from the server's clock by more than the allowed skew, 5 minutes by default. It is therefore highly recommended to use NTP or another form of time synchronisation on your Domain Controller. The Time Synchronisation documentation provides all the information needed to configure NTP on an AD Domain Controller.

Using a DC as a fileserver

The Samba team does not recommend using a Samba AD DC as a file server, but accepts that sometimes a DC has to be used in such a way. Before going down that path, consider running another instance of Samba inside a VM and using that as the file server instead.

If you cannot, or do not want to, do this, you will need to set up the libnss links; for instructions on how to do this, see here.